chore(deps): bump sandbox-runtime to TEE-attestation main #634
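name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  # Allow other workflows (e.g. .github/workflows/deploy.yml) to require this
  # gate without copy-pasting the job graph.
  workflow_call: {}

# Default GITHUB_TOKEN scope for every job in this file. Previously only the
# `changes` job declared a `permissions` block; the other jobs inherited the
# repository-wide default, which can be read/write. Nothing below pushes,
# comments or publishes, so read-only is enough — a job that later needs more
# should widen it explicitly at job level rather than here.
permissions:
  contents: read

# One in-flight run per ref; a newer push on the same ref cancels the older run.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

env:
  CARGO_TERM_COLOR: always
  # Quoted so the toolchain version is kept as a string, not parsed as a float.
  RUST_TOOLCHAIN: "1.91"
  FOUNDRY_PROFILE: default

jobs:
  # ── Change classification ────────────────────────────────────────────────
  # Turns the list of changed files into per-lane booleans; every other job
  # keys its `if:` off `needs.changes.outputs.<lane>`.
  changes:
    name: Classify changes
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
    outputs:
      arena: ${{ steps.decide.outputs.arena }}
      contracts: ${{ steps.decide.outputs.contracts }}
      rust: ${{ steps.decide.outputs.rust }}
      evals: ${{ steps.decide.outputs.evals }}
      full: ${{ steps.decide.outputs.full }}
    steps:
      # NOTE(review): inside a reusable workflow the `github` context is the
      # caller's, so `github.event_name` is expected to report the caller's
      # event (push, workflow_dispatch, ...) rather than 'workflow_call'. If so,
      # this condition and the matching branch in "Decide CI lanes" never fire
      # when deploy.yml invokes this gate — confirm, and consider an explicit
      # `workflow_call` input to request full-suite mode instead.
      - uses: actions/checkout@v6
        if: github.event_name != 'workflow_call'
        with:
          fetch-depth: 0
      - name: Collect changed files
        if: github.event_name != 'workflow_call'
        id: changed
        # Event data reaches the script through env, not `${{ }}` interpolation
        # inside `run:`, so a crafted branch name cannot alter the command line.
        env:
          EVENT_NAME: ${{ github.event_name }}
          BEFORE_SHA: ${{ github.event.before || '' }}
          BASE_REF: ${{ github.base_ref || '' }}
        run: |
          set -euo pipefail
          changed_file_list="$(mktemp)"
          if [ "$EVENT_NAME" = "pull_request" ]; then
            git fetch --no-tags --depth=1 origin "$BASE_REF:refs/remotes/origin/$BASE_REF"
            git diff --name-only "origin/$BASE_REF" "$GITHUB_SHA" > "$changed_file_list"
          elif [ -n "$BEFORE_SHA" ] && ! [[ "$BEFORE_SHA" =~ ^0+$ ]]; then
            # An all-zero BEFORE_SHA has nothing to diff against; it falls
            # through to the single-commit listing below.
            git diff --name-only "$BEFORE_SHA" "$GITHUB_SHA" > "$changed_file_list"
          else
            git diff-tree --no-commit-id --name-only -r "$GITHUB_SHA" > "$changed_file_list"
          fi
          # Multi-line output via the heredoc form of GITHUB_OUTPUT.
          {
            echo 'files<<EOF'
            cat "$changed_file_list"
            echo 'EOF'
          } >> "$GITHUB_OUTPUT"
      - name: Decide CI lanes
        id: decide
        env:
          EVENT_NAME: ${{ github.event_name }}
          CHANGED_FILES: ${{ steps.changed.outputs.files || '' }}
        run: |
          set -euo pipefail
          full=false
          arena=false
          contracts=false
          rust=false
          evals=false
          ci=false
          # Each file may flip several lanes, hence independent `case` blocks
          # rather than one first-match chain.
          while IFS= read -r file; do
            [ -n "$file" ] || continue
            case "$file" in
              arena/*|.github/workflows/deploy-arena.yml)
                arena=true
                ;;
            esac
            case "$file" in
              contracts/*|deployments/*|foundry.toml|slither.config.json)
                contracts=true
                ;;
            esac
            case "$file" in
              .cargo/*|Cargo.toml|Cargo.lock|patches/*|scripts/*|trading-*/*)
                rust=true
                ;;
            esac
            case "$file" in
              evals/*|package.json|package-lock.json|tsconfig.json|tsconfig.*.json)
                evals=true
                ;;
            esac
            case "$file" in
              .github/workflows/ci.yml)
                ci=true
                ;;
            esac
          done <<< "$CHANGED_FILES"
          # Reusable deploy gates must remain conservative: contract deployment
          # calls this workflow before broadcasting, so it gets the full suite.
          # Edits to this file itself also force every lane.
          if [ "$EVENT_NAME" = "workflow_call" ] || [ "$ci" = "true" ]; then
            full=true
            arena=true
            contracts=true
            rust=true
            evals=true
          fi
          echo "full=$full" >> "$GITHUB_OUTPUT"
          echo "arena=$arena" >> "$GITHUB_OUTPUT"
          echo "contracts=$contracts" >> "$GITHUB_OUTPUT"
          echo "rust=$rust" >> "$GITHUB_OUTPUT"
          echo "evals=$evals" >> "$GITHUB_OUTPUT"

  # ── Arena UI (TypeScript) ────────────────────────────────────────────────
  arena:
    name: Arena UI
    needs: changes
    if: needs.changes.outputs.arena == 'true'
    runs-on: ubuntu-latest
    env:
      TZ: America/Denver
    steps:
      - uses: actions/checkout@v6
      - uses: pnpm/action-setup@v6
        with:
          version: "10"
      - uses: actions/setup-node@v6
        with:
          node-version: "22"
          cache: pnpm
          cache-dependency-path: arena/pnpm-lock.yaml
      - name: Install dependencies
        working-directory: arena
        # --frozen-lockfile refuses to resolve anything not already pinned.
        run: pnpm install --frozen-lockfile
      - name: Typecheck
        working-directory: arena
        run: pnpm run typecheck
      - name: Test
        working-directory: arena
        run: pnpm run test
      - name: Build
        working-directory: arena
        run: pnpm run build
      - name: Fixture smoke
        working-directory: arena
        run: pnpm run smoke:agent-workspace -- --fixture

  # ── Solidity ─────────────────────────────────────────────────────────────
  forge:
    name: Forge build + test
    needs: changes
    if: needs.changes.outputs.contracts == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          submodules: recursive
      - uses: foundry-rs/foundry-toolchain@v1
        with:
          version: v1.5.1
      - name: Install Soldeer deps
        run: forge soldeer install
      - name: Build
        run: forge build
      - name: Test
        run: forge test -vvv
      - name: Fuzz (256 runs)
        run: forge test --match-path "contracts/test/fuzz/*" -vvv

  # ── Rust ─────────────────────────────────────────────────────────────────
  rust:
    name: Rust check + test
    needs: changes
    if: needs.changes.outputs.rust == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          submodules: recursive
      # NOTE(review): `@master` is a mutable ref, so the action code this job
      # runs can change without any edit here (the same applies to the
      # `@master` uses in clippy, fmt and audit). Pinning third-party actions
      # to a full commit SHA is the usual supply-chain control.
      - uses: dtolnay/rust-toolchain@master
        with:
          toolchain: ${{ env.RUST_TOOLCHAIN }}
          components: rustfmt, clippy
      - uses: Swatinem/rust-cache@v2
      - name: Install protoc
        run: sudo apt-get update && sudo apt-get install -y protobuf-compiler
      # Check our crates (not --workspace: bin crates pull in heavier
      # deployment-only dependencies).
      #
      # `trading-blueprint-bin` is checked + tested here. Sibling-repo drift
      # on `ai_agent_sandbox_blueprint_lib::workflows::*` is bridged by the
      # `crate::workflow_compat` shim, which re-implements the removed
      # per-run history surface as bin-local in-memory storage.
      - name: Check
        run: |
          cargo check -p trading-runtime
          cargo check -p trading-http-api
          cargo check -p trading-validator-lib
          cargo check -p trading-blueprint-lib
          cargo check -p trading-blueprint-bin --tests
      - name: Test (trading-validator-lib)
        run: cargo test -p trading-validator-lib --lib
      - name: Test (trading-runtime)
        run: cargo test -p trading-runtime --lib
      - name: Test (trading-http-api)
        run: cargo test -p trading-http-api
      - name: Test (trading-blueprint-lib)
        run: cargo test -p trading-blueprint-lib --lib
      - name: Test (trading-blueprint-bin operator_api)
        run: cargo test -p trading-blueprint-bin --test operator_api_tests

  clippy:
    name: Clippy
    needs: changes
    if: needs.changes.outputs.rust == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          submodules: recursive
      - uses: dtolnay/rust-toolchain@master
        with:
          toolchain: ${{ env.RUST_TOOLCHAIN }}
          components: clippy
      - uses: Swatinem/rust-cache@v2
      - name: Install protoc
        run: sudo apt-get update && sudo apt-get install -y protobuf-compiler
      # Warnings are errors; the `-A` flags below are the lints deliberately
      # tolerated per crate.
      - name: Clippy
        run: |
          cargo clippy -p trading-runtime -- -D warnings
          cargo clippy -p trading-http-api -- -D warnings -A clippy::collapsible-if
          cargo clippy -p trading-validator-lib -- -D warnings
          cargo clippy -p trading-blueprint-lib -- -D warnings -A clippy::collapsible-if -A clippy::manual-inspect -A clippy::needless-question-mark -A clippy::too-many-arguments
          cargo clippy -p trading-blueprint-bin --tests -- -D warnings -A clippy::collapsible-if -A clippy::manual-inspect -A clippy::needless-question-mark -A clippy::too-many-arguments

  fmt:
    name: Rustfmt
    needs: changes
    if: needs.changes.outputs.rust == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: dtolnay/rust-toolchain@master
        with:
          toolchain: ${{ env.RUST_TOOLCHAIN }}
          components: rustfmt
      - name: Format check
        run: cargo fmt --all -- --check

  # ── Security audit ───────────────────────────────────────────────────────
  audit:
    name: Security audit
    needs: changes
    if: needs.changes.outputs.rust == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: dtolnay/rust-toolchain@master
        with:
          toolchain: ${{ env.RUST_TOOLCHAIN }}
      - name: Install cargo-audit
        run: cargo install cargo-audit --locked
      - uses: Swatinem/rust-cache@v2
      # Ignore known transitive advisories from blueprint-sdk -> substrate deps.
      # These come through libp2p, ring, aws-lc-sys, and legacy rustls stacks
      # pulled in via Blueprint git dependencies; tracked upstream.
      #
      # NOTE(review): this list is the audit's blind spot. Re-check it whenever
      # the Blueprint git dependencies are bumped, and drop any entry whose
      # advisory no longer applies so the ignore set only shrinks over time.
      - name: Run audit
        run: |
          cargo audit \
            --ignore RUSTSEC-2021-0141 \
            --ignore RUSTSEC-2024-0384 \
            --ignore RUSTSEC-2024-0388 \
            --ignore RUSTSEC-2024-0436 \
            --ignore RUSTSEC-2025-0009 \
            --ignore RUSTSEC-2025-0010 \
            --ignore RUSTSEC-2025-0012 \
            --ignore RUSTSEC-2025-0055 \
            --ignore RUSTSEC-2025-0111 \
            --ignore RUSTSEC-2025-0134 \
            --ignore RUSTSEC-2025-0141 \
            --ignore RUSTSEC-2025-0161 \
            --ignore RUSTSEC-2026-0002 \
            --ignore RUSTSEC-2026-0044 \
            --ignore RUSTSEC-2026-0048 \
            --ignore RUSTSEC-2026-0049 \
            --ignore RUSTSEC-2026-0067 \
            --ignore RUSTSEC-2026-0068 \
            --ignore RUSTSEC-2026-0097 \
            --ignore RUSTSEC-2026-0098 \
            --ignore RUSTSEC-2026-0099 \
            --ignore RUSTSEC-2026-0104 \
            --ignore RUSTSEC-2026-0118 \
            --ignore RUSTSEC-2026-0119

  # ── Evals (TypeScript) ───────────────────────────────────────────────────
  evals:
    name: Evals typecheck
    needs: changes
    if: needs.changes.outputs.evals == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-node@v6
        with:
          node-version: "22"
          cache: npm
      - name: Install dependencies
        # `npm ci` installs exactly what package-lock.json pins.
        run: npm ci
      - name: Typecheck evals
        run: npx tsc -p evals/tsconfig.json --noEmit

  # ── Gate ─────────────────────────────────────────────────────────────────
  # Single status for branch protection: runs even when lanes are skipped and
  # fails only if a lane that was required for this change did not succeed.
  ci-gate:
    name: CI Gate
    needs: [changes, arena, forge, rust, clippy, fmt, audit, evals]
    if: always()
    runs-on: ubuntu-latest
    steps:
      - name: Check required lanes
        env:
          CHANGES_RESULT: ${{ needs.changes.result }}
          ARENA_NEEDED: ${{ needs.changes.outputs.arena }}
          CONTRACTS_NEEDED: ${{ needs.changes.outputs.contracts }}
          RUST_NEEDED: ${{ needs.changes.outputs.rust }}
          EVALS_NEEDED: ${{ needs.changes.outputs.evals }}
          ARENA_RESULT: ${{ needs.arena.result }}
          FORGE_RESULT: ${{ needs.forge.result }}
          RUST_RESULT: ${{ needs.rust.result }}
          CLIPPY_RESULT: ${{ needs.clippy.result }}
          FMT_RESULT: ${{ needs.fmt.result }}
          AUDIT_RESULT: ${{ needs.audit.result }}
          EVALS_RESULT: ${{ needs.evals.result }}
        run: |
          set -euo pipefail
          failed=false
          # Without a successful classification the *_NEEDED flags are
          # untrustworthy, so the gate fails closed.
          if [ "$CHANGES_RESULT" != "success" ]; then
            echo "::error::Change classification failed with result '$CHANGES_RESULT'"
            exit 1
          fi
          # require_success LABEL NEEDED RESULT — records a failure when a lane
          # that was needed ended in anything other than success (including
          # skipped or cancelled).
          require_success() {
            local label="$1"
            local needed="$2"
            local result="$3"
            if [ "$needed" = "true" ] && [ "$result" != "success" ]; then
              echo "::error::$label required but finished with result '$result'"
              failed=true
            fi
          }
          require_success "Arena UI" "$ARENA_NEEDED" "$ARENA_RESULT"
          require_success "Forge build + test" "$CONTRACTS_NEEDED" "$FORGE_RESULT"
          require_success "Rust check + test" "$RUST_NEEDED" "$RUST_RESULT"
          require_success "Clippy" "$RUST_NEEDED" "$CLIPPY_RESULT"
          require_success "Rustfmt" "$RUST_NEEDED" "$FMT_RESULT"
          require_success "Security audit" "$RUST_NEEDED" "$AUDIT_RESULT"
          require_success "Evals typecheck" "$EVALS_NEEDED" "$EVALS_RESULT"
          if [ "$ARENA_NEEDED" != "true" ] && [ "$CONTRACTS_NEEDED" != "true" ] && [ "$RUST_NEEDED" != "true" ] && [ "$EVALS_NEEDED" != "true" ]; then
            echo "No code lanes changed; CI gate is green."
          fi
          if [ "$failed" = "true" ]; then
            exit 1
          fi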